PROTECTION OF YOUR PERSONAL DATA 


This is a generic privacy statement, for processing personal data related to managing award 
procedures for procurement, grants and the selection of experts, and managing the execution of 
(procurement and experts) contracts and implementation of agreements (grants). 


Processing operation: Managing award procedures for procurement, grants and the selection of 
experts, and managing the execution of (procurement and experts) contracts and implementation of 
agreements (grants) 


Data Controller: European Commission 


Record reference: DPR-EC-05067.1 
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1. Introduction 


The European Commission (hereafter ‘the Commission’) is committed to protect your personal data 
and to respect your privacy. The Commission collects and further processes personal data pursuant 
to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on 
the protection of natural persons with regard to the processing of personal data by the Union 
institutions, bodies, offices and agencies and on the free movement of such data (repealing 
Regulation (EC) 45/2001). 


This privacy statement explains the reason for the processing of your personal data, the way we 
collect, handle and ensure protection of all personal data provided, how that information is used and 
what rights you have in relation to your personal data. It also specifies the contact details of the 
responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and 
the European Data Protection Supervisor. 


This privacy statement concerns the processing operation ‘managing award procedures for 
procurement, grants and the selection of experts, and managing the execution of (procurement and 


experts) contracts and implementation of agreements (grants)’, undertaken by the Commission as 
presented below. 


2. Why and how do we collect your personal data? 


Purpose of the processing operation: The processing of personal data by the European Commission is 
necessary when managing award procedures (procurement, grants, experts) and managing the 
execution of contracts (procurement, experts) and the implementation of agreements (grants) 
concluded during the procedures. These processing operations are under the responsibility of the 
European Commission as Controller, regarding the collection and processing of personal data. 


Your personal data will not be used for any automated decision-making including profiling. 


If you are an external data subject, upon receipt by the European Commission of information related 
to an award procedure, contract or agreement (e.g. application document, communication) from 
you, personal data may be collected and processed by Commission services for the purpose of 
managing the procedure, contract or agreement. 


If you are an internal data subject, personal data may be collected and processed by Commission 
services as part of you using corporate eProcurement IT tools which support managing award 
procedures, the execution of contracts (procurement, experts) and the implementation of 
agreements (grants). 


3. On what legal ground(s) do we process your personal data 


The legal basis for the processing operations on personal data is Regulation (EU, Euratom) 2018/1046 
of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the 
general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 
1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 
283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012, 
(hereafter "the Financial Regulation") in particular Articles 160-179 for the procurement procedures, 
Articles 180-200 for the grant application and Articles 237-238 for selection of experts. In addition, 
financing decisions form part of the legal basis for a processing operation, where applicable, in line 
with Article 110 of the Financial Regulation. 


The processing operations on personal data carried out in this context of are necessary and lawful 
under Article 5(1)(a), (b) and (c) of Regulation (EU) 1725/2018: 


(a) processing is necessary for the performance of a task carried out in the public interest or in the 
exercise of official authority vested in the Union institution or body; 


(b) processing is necessary for compliance with a legal obligation to which the controller is subject ; 


(c) processing is necessary for the performance of a contract to which the data subject is party or in 
order to take steps at the request of the data subject prior to entering into a contract. 


4. Which personal data do we collect and further process? 


External data subjects provide personal data when they: 
e participate in an award procedure regarding procurement, grants or the selection of experts; 
and 
e execute a contract (procurement, expert) or implement an agreement (grant) that has been 
awarded to them. 
Internal data subjects provide personal data when they: 
e manage an award procedure regarding procurement, grants or the selection of experts; 


manage the execution of a contract (procurement, expert) or implementation of an 
agreement (grant); 

develop, maintain and support the use of corporate eProcurement IT systems which support 
the above purpose as part of business processes; and 

access corporate eProcurement IT systems for the purpose of acquisitions via a procurement 
procedure or contract, or for performing a monitoring, audit or inspection task in application 
of European Union law. 


Types of personal data 

Depending on whether the data subject is external or internal to the Commission, different data may 
be processed including: 

Data subject external to the Commission: 


Identification data: name, surname, passport number, ID number, IP address; 

Function; 

Contact details (e-mail address, business telephone number, mobile telephone number, fax 
number, postal address, company name and department, country of residence, internet 
address); 

Certificates for social security contributions and taxes paid, extract from judicial records; 
Financial data: bank account reference (IBAN and BIC codes), VAT number; 

Information for the evaluation of selection criteria or eligibility criteria: expertise, technical 
skills and languages, educational background, professional experience including details on 
current and past employment; 

Declaration on honour or the equivalent with regard to exclusion criteria, selection criteria 
and/or eligibility criteria; and 

System related data: European Commission Authentication Service (EU Login) login name 
and password (only stored in EU Login), security data/log files (for audit trails). 


Data subject internal to the Commission: 


5. 


Identification data: name, surname, email address, IP address; 

Organisational data: organisation, directorate, unit, etc.; 

Procedural data; Contracting Authority; 

Assignments and role; and 

System related data: European Commission Authentification Service (EU Login) login name 
and password (only stored in EU Login), security data/log files (for audit trails). 


How long do we keep your data? 


Your personal data are kept as follows: 


For a procurement award procedure, data are retained for a period of 10 years following the 
procedure’s closure, although: 


for unsuccessful tenderers, data specific to the tenderer are retained for 5 years following 
the closure of the procedure; 


for unsuccessful candidates in response to an invitation to request to participate or 
successful candidates who did not subsequently tender, data specific to the candidate are 
retained for 5 years following the closure of the procedure; and 


for candidates to a Call for Expressions of Interest, data specific to the candidate are retained 
for, whichever is later: 1) 5 years after the list’s validity end date; 2) 5 years after the 
signature of the last contract concluded with a procedure based on the list; 3) 10 years after 
the signature of the last contract concluded with a procedure based on the list for which the 
candidate was a successful tenderer. 


As regards data collected when managing the execution of the contract, these are retained for 10 
years following last payment made under the contract. 


Data collected during the grant award procedure are retained for 10 years, although data from 
unsuccessful applicants are retained for 5 years following the closure of the procedure. 


As regards data collected when managing the implementation of the grant agreement, these are 
retained for 10 years following the last payment under the agreement. 


Data regarding the drawing up and maintaining of experts’ lists and the management of experts’ 
contracts are retained for 10 years, while data related to unsuccessful experts are eliminated five 
years after the closure of the procedure. 


Notwithstanding the above retention periods, it should be noted that: 


e As part of its general document management practices, a Commission file concerned with an 
award procedure, contract or agreement and which includes data may be selected or 
sampled at the end of the retention period, as a result of which some data may be retained 
in the Commission’s Historical Archives; 


e any retention of data may be temporarily extended if a monitoring, audit on inspection task 
in application of European law (e.g. internal audits, the Financial Irregularities Panel referred 
to in Article 93 of the Financial Regulation, the Exclusion Panel referred to in Article 143 of 
the Financial Regulation, European Anti-fraud Office - OLAF) is ongoing; and 


e any action performed in corporate eProcurement IT systems by data subjects under their EU 
login is recorded without time limit in order to enable queries on financial, contractual and 
accounting matters as well as for audit trail purposes. 


6. How do we protect and safeguard your personal data? 


Where data are in an electronic form, they are stored on servers of the European Commission. 
Security requirements ensure that only designated persons have the possibility to access the data 
kept for the purpose of undertaking the processing operations. 


Where data are kept in a paper format, they are stored in the premises of the competent services of 
the European Commission. Access into the premises and within the premises is controlled. 


7. Who has access to your data and to whom is it disclosed? 


For the purpose detailed above, access to your personal data is given to the following persons, 
without prejudice to a possible transmission to the bodies in charge of a monitoring or inspection 
task in accordance with European Union law: 


e Commission staff members [members of the institutions, agencies and bodies participating in 
the award procedure in the case of inter-institutional procurement] as well as external 
experts and contractors who work on behalf of the Commission for the purposes of: 1) 
managing award procedures for procurement, grants and the selection of experts; 2) 
managing the execution of (procurement and experts) contracts and the implementation of 
grant agreements; 3) developing, maintaining and supporting the use of corporate 
eProcurement IT systems. 

e for contracts awarded as part of a procurement procedure, Commission staff who may use 
the contract or may use the information (excluding personal data) related to the contract for 
the sole purpose of future procurement procedures; 

e bodies charged with a monitoring, audit or inspection task in application of European Union 
law; 


e members of the public who receive data of contractors or beneficiaries which is made public 
in accordance with the Financial Regulation, particularly Articles 38(2), 163 and 189(2). The 
data is published in supplement S of the Official Journal of the European Union and/or on the 
applicable website of the Commission. Additionally, selected experts may be listed in the 
Register of Commission Expert Groups of the Commission on 
http://ec.europa.eu/transparency/regexpert/. For more information on the provision of this 
register see record DPR-EC-00656 in the Data Protection Officer’s registry on 
http://ec.europa.eu/dataprotectionofficer.Additionally, selected experts may be listed in the 
Register of Expert Groups of the Commission on 
http://ec.europa.eu/transparency/regexpert/. 


8. What are your rights and how can you exercise them? 


You have specific rights as a ‘data subject’ under Chapter Ill (Articles 14-25) of Regulation (EU) 
2018/1725, in particular the right to access, rectify or erase your personal data and the right to 
restrict the processing of your personal data. Where applicable, you also have the right to object to 
the processing or the right to data portability. 


You have the right to object to the processing of your personal data, which is lawfully carried out on 
grounds relating to your particular situation. 


Special attention is drawn to the consequences of a request for deletion, as this may lead to an 
alteration of the terms of the tender and lead to rejection in line with Articles 151 and 141 of the 
Financial Regulation. 


You can exercise your rights by contacting the Data Controller, or in case of conflict the Data 
Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their 
contact information is given under Heading 9 below. 


Where you wish to exercise your rights in the context of one or several specific processing 
operations, please provide their description (i.e. their Record reference(s) as specified under Heading 
10 below) in your request. 


9. Contact information 


- The Data Controller 

If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, 
questions or concerns, or if you would like to submit a complaint regarding the collection and use of 
your personal data, please feel free to contact the Data Controller by using the contact information 
mentioned in, for instance, a notice in the Official Journal of the European Union, invitation to 
participate or invitation to tender pertaining to the award procedure, the contract or the agreement, 
and by explicitly specifying your request. 


- The Data Protection Officer of the European Commission 
You may contact the Data Protection Officer (data-protection-officer@ec.europa.eu) with regard to 
issues related to the processing of your personal data under Regulation (EU) 2018/1725. 


- The European Data Protection Supervisor (EDPS) 

You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection 
Supervisor, https://edps.europa.eu:data-protection/our-role-supervisor/complaints en or 
edps@edps.europa.eu, if you consider that your rights under Regulation (EU) 2018/1725 have been 
infringed as a result of the processing of your personal data by the Data Controller. 


10. Where to find more detailed information? 


The Commission Data Protection Officer (DPO) publishes the register of all processing operations on 
personal data by the Commission, which have been documented and notified to him. You may access 
the register via the following link: http://ec.europa.eu/dpo-register. 


This specific processing operation has been included in the DPO’s public register with the following 
Record reference: DPR-EC-05067.1. 


